GENERAL SERVICES ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

Audit of PBS's Controls over Security of Building Information in Online Environments

Report Number A070216/P/R/R10003
March 31, 2010

Date:         March 31, 2010

Reply to      R. Nicholas Goco
Attn of:      Deputy Assistant Inspector General
              for Real Property Audits (JA-R)

Subject:      Audit of PBS's Controls over Security of Building Information
              in Online Environments
              Report Number A070216/P/R/R10003

To:           Robert A. Peck
              Commissioner, Public Buildings Service (P)

This report presents the results of our review of the controls PBS has implemented to protect sensitive building information in online environments. There is a concern that unrestricted construction documents pose a vulnerability that could be exploited by terrorists or other criminal elements. Public Buildings Service (PBS) policy includes the following principles regarding sensitive building information: 1) only give the information to those who have a "need-to-know"; 2) keep records of who received the information; and 3) safeguard the information during use and destroy it properly after use. In September 2008, the GSA Office of Inspector General (OIG) issued a review of PBS's controls over the security of paper and removable media. During the course of the audit fieldwork, the OIG became aware of PBS's use of electronic project management software (e-PM) applications, as far back as 1998. Many of these applications, which contain sensitive but unclassified building information, did not appear to be under the purview of either the GSA Office of the Chief Information Officer (OCIO) or the PBS OCIO.

Consequently, on September 3, 2008, the OIG notified senior PBS management of our initial concerns in this area and initiated a separate review focusing on the security controls over sensitive but unclassified building information in online information systems. Overall, this review disclosed that PBS needs to place a greater emphasis on security over its sensitive building information in online environments. In particular, PBS needs to develop and implement a security strategy for existing e-PM applications and any that may be employed in the future. PBS also needs to conduct more security awareness training to raise the level of attention to online data security within the organization.

If you have any questions regarding this report, please contact me or R. Nicholas Goco, Deputy Assistant Inspector General for Real Property Audits, on (202) 219-0088.

Susan P. Hall
Audit Manager
Real Property Audit Office (JA-R)

EXECUTIVE SUMMARY
INTRODUCTION
   Background
   Objective, Scope and Methodology
RESULTS OF AUDIT
   Although PBS has used e-PM technologies since 1998, the systems have been used and procured independent of PBS's security program.
   Sensitive data found on GSA internal web-sites indicates the need for additional security training and awareness.
CONCLUSION
RECOMMENDATIONS
MANAGEMENT COMMENTS
INTERNAL CONTROLS
APPENDICES
   Management Response
   Report Distribution

EXECUTIVE SUMMARY

Purpose

The objective of our review of the Public Buildings Service's (PBS) efforts to protect sensitive building information in online environments was to determine if PBS has implemented managerial, physical, and technical controls to effectively mitigate risks inherent to sensitive but unclassified building information in online systems.

Background

A priority for the General Services Administration (GSA) is the physical protection of Federal employees, the visiting public, and its facilities. 
There is a concern that unrestricted construction documents pose a vulnerability that could be exploited by terrorists or other criminal elements. Public Buildings Service (PBS) policy includes the following principles regarding sensitive building information: 1) only give the information to those who have a "need-to-know"; 2) keep records of who received the information; and 3) safeguard the information during use and destroy it properly after use. This policy encompasses security requirements for the dissemination of electronic documents, including physical facility information such as building designs, construction plans, specifications, and any other information considered a security risk. PBS employees are required to protect sensitive building data using techniques such as data encryption, appropriate sanitization/disposal of media, and incident handling procedures.

In September 2008, the GSA Office of Inspector General (OIG) issued a review of PBS's controls over the security of paper and removable media. During the course of audit fieldwork, the OIG became aware of PBS's use of electronic project management software (e-PM) applications, as far back as 1998. Many of these applications, which contain sensitive but unclassified building information, did not appear to be under the purview of either the GSA Office of the Chief Information Officer (OCIO) or the PBS OCIO. Consequently, on September 3, 2008, the OIG notified senior PBS management of our initial concerns in this area and initiated a separate review focusing on the security controls over sensitive but unclassified building information in online information systems.

Results in Brief

The Public Buildings Service needs to improve its controls over sensitive building information in online environments to reduce the risk of inappropriate disclosure of information that may result in harm to people or property. In particular, electronic project management technologies and groupware, such as intranet websites, present vulnerabilities that need to be addressed through stronger controls.

In the late 1990s, PBS project teams began using e-PM technologies as a tool to enable PBS and its construction contractors to electronically share project data. However, PBS has not included these systems under the purview of its security program or ensured compliance with Federal Information Security Management Act (FISMA) requirements. For example, PBS policy essentially charged construction project managers with security responsibilities without support from either the GSA Office of the Senior Agency Information Security Officer or the PBS OCIO. Further, the contractual agreements with the providers of the e-PM solutions in our audit sample did not include language to enforce IT security requirements or provide for testing rights, and only one specified data archival requirements. PBS is currently conducting a pilot for a new enterprise-wide e-PM system. Many of the security-related concerns raised in this review appear to be addressed in the contractual language for the new enterprise-wide e-PM system. However, data remains vulnerable until the new enterprise-wide e-PM system is successfully implemented.

A related issue that also needs to be addressed is that of controls over sensitive but unclassified data shared generally within the GSA environment through regional web pages. The multiple instances of inadequately protected sensitive data encountered during the OIG's testing of PBS's groupware/intranet controls indicate a lack of awareness among PBS personnel regarding information security principles.

Overall, PBS needs to place a greater emphasis on security over its sensitive building information in online environments. In particular, PBS needs to develop and implement a security strategy for existing e-PM applications and any that may be employed in the future. PBS also needs to conduct more security awareness training to raise the level of attention to online data security within the organization.

Recommendations

We recommend that the PBS Commissioner

   1) Work within the framework of the GSA OCIO security program to develop and implement a security strategy for e-PM applications. The security strategy should address

       a) The identification and inventory of e-PM applications currently in use that are not under the purview of a security program;

       b) Security control testing on existing e-PM applications and procedures for ongoing monitoring and correction;

       c) IT security roles for existing PBS e-PM applications as required by GSA CIO P 2100.1E, and the identification of FISMA points-of-contact for the FISMA points-of-contact list published by the GSA OCIO;

       d) Procedural guidance to the Contracting Officer, Contracting Officer Technical Representative, Project Manager and Project Executive related to IT contracts or contracts containing IT, considering PBS 3490.1A, GSA CIO P 2100.1E, and other GSA CIO procedural guides;

       e) Policies and procedures for PBS OCIO oversight during the entire system lifecycle for any project using electronic project management tools; and

       f) The amendment of existing contracts, where feasible, related to the acquisition of electronic project management services and development of boilerplate contract language that includes

           i)   Current applicable GSA, PBS, and Federal laws, regulations and policy;
           ii)  Security control assessment rights;
           iii) Requirements for the inclusion of security requirements in subcontracts; and
           iv)  Project data archival requirements.

   2) Develop and conduct additional security awareness training for project management and contracting personnel, especially for those with significant security responsibilities. Include a focus on requirements for extranet-based e-PM applications where appropriate, a review of PBS sensitive but unclassified information policy, and instruction on the protection of sensitive data in PBS groupware/intranet environments.

INTRODUCTION

Background

A priority for the General Services Administration (GSA) Public Buildings Service (PBS) is the physical protection of Federal employees, the visiting public, and its facilities. There is a concern that unrestricted construction documents pose a vulnerability that could be exploited by terrorists or other criminal elements. GSA must balance security concerns with the need for building data to be accessible to those authorized to conduct Government business.

In order to reduce the exposure to possible attacks or threats to GSA-controlled facilities, PBS issued in March 2002 GSA Order PBS 3490.1 (PBS 3490.1), entitled "Document security for sensitive but unclassified paper and electronic building information." The principles of this policy are: 1) only give the information to those who have a "need-to-know"; 2) keep records of who received the information; and 3) safeguard the information during use and destroy it properly after use. This policy defined security requirements for the dissemination of electronic documents, including physical facility information such as building designs, construction plans, specifications, and any other information considered a security risk. 
On June 1, 2009, PBS updated its sensitive but unclassified policy with GSA Order PBS 3490.1A, entitled "Document security for sensitive but unclassified building information." The revised policy requires PBS employees to adhere to encryption, sanitization/disposal, and incident handling requirements.

In September 2008, the GSA Office of Inspector General (OIG) issued a review of PBS's controls over the security of paper and removable media entitled "Audit of PBS's Controls over Security of Building Information, Report Number A070216/P/R/R08005." The OIG found that the implementation of the controls to meet the requirements for safeguarding sensitive building information on hardcopy and removable media across PBS varied widely; oversight practices were inconsistent; and many contracts did not include the contractor's responsibility to use reasonable care to protect sensitive building information. The review also disclosed that while the majority of PBS staff interviewed were aware of PBS's sensitive but unclassified policy, few had received formal training in the requirements and how to implement them.

During the course of audit fieldwork, the OIG became aware of PBS's use of electronic project management software (e-PM) applications, as far back as 1998. Many of these applications, which contain sensitive but unclassified building information, did not appear to be under the purview of either the GSA Office of the Chief Information Officer (OCIO) or PBS OCIO. These tools were being provided by various software vendors and application service providers. Consequently, on September 3, 2008, the OIG notified senior PBS management of our initial concerns in this area and initiated a separate review focusing on the security controls over sensitive but unclassified building information in online information systems.

Objective, Scope and Methodology

The objective of our review of PBS's efforts to protect sensitive building information in online environments was to determine if PBS has implemented managerial, physical, and technical controls to effectively mitigate risks inherent to sensitive but unclassified building information in online systems.

To accomplish this audit objective we performed fieldwork primarily in PBS's National Office, National Capital Region, Southeast Sunbelt Region, and Mid-Atlantic Region. During fieldwork, we performed the following tasks:

      •    Obtained background information including Office of Management and Budget Circulars and memoranda; National Institute of Standards and Technology (NIST) publications; the Federal Information Security Management Act (FISMA); GSA Information Technology (IT) Security Policy (GSA CIO P 2100.1D, dated June 21, 2007, and CIO P 2100.1E, dated July 2, 2009); and prior GSA Office of Inspector General audit reports.

      •    Reviewed e-PM vendor documentation including stated security features, such as access controls for data and functions.

      •    Obtained internal PBS documentation including PBS FISMA Certification and Accreditation (C&A) documentation.

      •    Interviewed PBS National and Regional officials to determine what controls they have in place to ensure the security of sensitive building information in online systems.

      •    Interviewed GSA senior agency information security officials.

      •    Examined GSA's groupware environment to identify sensitive but unclassified data, as well as links to this data that may exist therein, that may be vulnerable to unauthorized access.

      •    Reviewed six judgmentally selected PBS construction projects using electronic project management (e-PM) tools [1] provided by various software vendors and application service providers to determine

                o If the projects contained sensitive but unclassified information, and the nature of that information;
                o The basis for e-PM vendor selection;
                o The actions PBS project teams took to ensure the e-PM application/system met applicable GSA/PBS security requirements;
                o If contract language stated responsibilities for safeguarding GSA data, including sensitive but unclassified information;
                o If contract language provided GSA vulnerability testing rights; and
                o The procedures for data archival at project completion.

[1] One of these e-PM tools was being used for over 50 projects and had over 900 users.

The audit work was conducted between September 2008 and December 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

RESULTS OF AUDIT

The General Services Administration (GSA) Public Buildings Service (PBS) needs to improve its controls over sensitive building information in online environments to reduce the risk of inappropriate disclosure of information that may result in harm to people or property. In particular, electronic project management (e-PM) technologies and groupware, such as intranet websites, present a vulnerability that needs to be addressed through stronger controls.

Although PBS has used e-PM technologies since at least 1998, the systems have been used and acquired independent of the PBS security program. As a result, PBS has not had the security in place to ensure that there are adequate safeguards over sensitive building information. The use of these e-PM technologies grew out of a need to electronically share data between PBS and its contractors for construction projects. Prior PBS policy placed responsibility for the security essentially with its construction project managers; however, no support, training, or guidance was provided to assist in implementing security controls. Further, most contractual agreements with the providers of the e-PM solutions in our audit sample did not include language to enforce IT security requirements, such as requiring the systems to be FISMA compliant or providing for testing rights. These clauses are necessary to ensure the security and availability of vital building information.

PBS is currently conducting a pilot for a new enterprise-wide e-PM tool that will be physically located in an internal data center. 
Many of the security-related concerns raised in this review appear to be addressed in the contractual language for the new enterprise-wide e-PM system. However, until the new system is fully implemented, the risk that sensitive but unclassified data is not adequately protected still exists for e-PM applications.

In addition to the e-PM technologies issue, we found multiple instances of inadequately protected sensitive data during our testing of PBS's groupware/intranet controls, such as building plans on regional web sites. This suggests a lack of awareness among PBS personnel regarding basic sensitive information security principles.

Overall, PBS needs to place a greater emphasis on security over its sensitive building information in online environments. In particular, PBS needs to develop and implement a security strategy for existing e-PM applications and any that may be employed in the future. PBS also needs to conduct more security awareness training to raise the level of attention to online data security within the organization.

Although PBS has used e-PM technologies since 1998, the systems have been used and procured independent of PBS's security program.

The e-PM tools are web-based applications, with vendor-stated security features, that are used for 1) team communication and document management; 2) workflow and process automation; and 3) project management of design and construction activities. Also known as "Construction Project Extranets," these technologies offer communication platforms, project management functionalities, and hosted collaboration spaces for architecture, engineering, and construction projects, and are usually hosted by application service providers. By using e-PM applications, all project team members have access to the same information at the same time, from any location, which improves project timeliness, accuracy, and efficiency. Standardization allows for efficient training, optimization of tool utilization, and consolidation of all project information for better program management. Additionally, a complete audit trail of communications, activities, and dates is generated, reducing claim risks.

At PBS, a reduction in administrative tasks, improvement in request for information turnaround time, and the ability to measure project performance based on the national measures for budget and schedule have all been noted as benefits of e-PM technologies. Although PBS has no formal national policy regarding e-PM technology, regional executives have been encouraged to advocate their use and PBS encourages its project managers to take advantage of the many benefits e-PMs afford.

Even though PBS project teams have used many e-PM technologies for over a decade, the systems have not been under the purview of a security program. Prior PBS policy assigned e-PM security to system users; however, no support or guidance was set up to implement security requirements. Further, the e-PM applications were acquired using multiple arrangements without input or oversight by IT security staff. As a result of the lack of oversight, security control testing and system monitoring were not performed and Federal Information Security Management Act (FISMA) compliance was not addressed. In addition, security requirements were not addressed in contracts in cases where contractors provided e-PM software.

Prior policy assigned security responsibilities to users.

Until its revision, the March 2002 GSA Order, PBS 3490.1 (PBS 3490.1) entitled, "Document security for sensitive but unclassified paper and electronic building information," placed responsibility for e-PM security with system users; essentially construction project managers as well as other project team members. According to the policy that remained in effect until June 2009, authorized users of project extranets for e-PM applications that transfer sensitive but unclassified building information were required to verify and certify to the Government Contracting Officer that physical and technical GSA security requirements, as determined by the PBS CIO, were met.

Based on the policy, the authorized users had to determine the adequacy of the technical security controls in the e-PM products under consideration. However, additional guidance or technical support was not set up to assist the users. For example, PBS had not established a list of approved e-PM vendors, specific guidance on required e-PM security features, or procedures for PBS CIO involvement in the e-PM acquisition process to facilitate this verification and certification process.

In addition, none of the project managers, contracting officers, or project executives we interviewed during our review received training beyond the standard periodic GSA CIO IT Security Awareness Training for GSA Employees. As was previously reported in the September 2008 OIG report (Report Number A070216/P/R/R08005), the majority of PBS staff interviewed were aware of PBS's sensitive but unclassified policy, but few had received formal training in the requirements and how to implement them. Consequently, there are no personnel with significant security responsibilities assigned to these extranet-based applications that have the advanced technical security training required to fulfill these security responsibilities. Given this situation, none of the project teams in our sample confirmed that the required verifications and certifications were performed.

In June 2009, the policy was revised. The new policy, PBS 3490.1A, requires PBS associates to adhere to encryption, sanitization/disposal, and incident handling requirements. However, the new policy does not specifically discuss the IT security responsibilities for e-PM applications. According to the PBS OCIO, it is now responsible for the security of these applications.

Multiple sources for e-PM applications create oversight issues.

The e-PM applications being used by PBS were provided through multiple arrangements. In some cases, PBS acquired and owned the application. In other cases, the e-PM software being used on a project was provided by one of the contractors on the project, such as the architect/engineer, the construction manager, or the general contractor. Since these e-PM systems were not procured through an information technology vehicle, they had no visibility in GSA's annual Office of Management and Budget Exhibit 53, which identifies GSA's IT investment portfolio.

While certain e-PM systems were under PBS's control and all the e-PM software packages had stated security features, the PBS OCIO was not consulted by the project teams for any of the projects in our audit sample prior to the implementation of the e-PM tools. In some cases, project personnel were assisted by knowledgeable internal business line technical support, but there was no formal process for their involvement. In addition, internal business line technical support did not get involved if an architectural/engineering firm or construction manager owned the e-PM system, as was the case in three of our six sample projects.

Since the applications were not under the purview of a security program, oversight and security measures were not implemented and FISMA was not addressed.

While PBS officials have solicited information regarding the use of e-PM solutions in the regions, the identification and security controls testing and monitoring of these applications have not occurred. As of July 29, 2008, neither the GSA OCIO nor the PBS OCIO had an inventory of the e-PM applications being used at PBS. Given that neither office was involved in the selection or acquisition of the e-PM systems, they could not determine whether the e-PM systems meet applicable agency security requirements. As of December 8, 2009, security officials for these e-PM systems had not been assigned. Without these systems being identified, tested, and monitored, PBS does not have adequate assurance that the risks inherent to systems containing sensitive building information have been kept to an acceptable level.

A central tenet of providing security for systems is assurance of confidentiality, integrity, availability, and accountability of systems through risk-based management. Security control testing and monitoring would be part of the controls for risk-based management; however, these controls were not implemented for existing e-PM systems. Vulnerability testing conducted by the GSA CIO, as described in GSA CIO P 2100.1E, usually includes vulnerability scanning of operating systems, databases, and web applications on a quarterly basis, or when significant new vulnerabilities potentially affecting the system are identified and reported. 
Although some of the internally supported e-PM applications have implemented vulnerability scanning since we initiated this review, none of the externally supported or owned e-PM systems have conducted these tests. Since the effectiveness of security controls in these existing applications is not routinely monitored and evaluated against known vulnerabilities and configuration issues, PBS's sensitive building information could be vulnerable to unauthorized access.

Many of the e-PM applications used at PBS were not compliant with FISMA. FISMA requires each agency to develop, document, and implement an agency-wide information security program that provides information security for the information and information systems that support the agency, including those provided or managed by another agency, contractor, or other source. In addition to other requirements, this program must include a risk assessment addressing unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems; a system security plan; security awareness training; periodic control testing; a remedial action process to address any deficiencies in the information security policies, procedures, and practices of the agency; an incident response process; and a business continuity plan. Office of Management and Budget Memorandum M-07-19, "FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," dated July 25, 2007, states that FISMA applies to services which are fully or partially provided, including agency hosted, outsourced, and software-as-a-service (SaaS) solutions. In support of these requirements, GSA CIO P 2100.1E requires that every IT system, both Government and contractor operated, must undergo a security control review annually [2].

[2] Annual reviews must use the current version of NIST SP 800-53, "Recommended Security Controls for Federal Information Systems," and CIO IT Security 04-26, "FISMA Implementation." Note that NIST SP 800-53 Revision 2 was released in December 2007.

Since initial deployment, existing e-PM applications continue to operate without FISMA certification and accreditation. As of December 8, 2009, security officials for these e-PM systems, as outlined in GSA CIO P 2100.1E, have not been assigned. Although the contract for the new enterprise-wide e-PM system requires the offeror to work with PBS on the e-PM FISMA certification and accreditation (C&A), the existing e-PM systems may still be at risk.

When e-PMs were provided by contractors, the contracts did not include security requirements.

When e-PM software being used on a project is provided by one of the contractors on the project, such as the architect/engineer, the construction manager, or the general contractor, the contract should address requirements associated with the confidentiality, integrity, and availability of sensitive building data in the application. At the project level, PBS system owners, along with the contracting officer and system program managers, share in the responsibility for ensuring IT security requirements are included in IT contracts or contracts including IT requirements, according to GSA CIO P 2100.1E. Although two of the projects sampled in our review referenced PBS sensitive but unclassified information policy, none of the sampled contracts contained direct references to GSA CIO IT security policy, which imposes a robust set of control requirements to protect GSA's information and information systems. Without GSA CIO IT security requirements specified in existing e-PM contracts, providers of e-PM solutions or support may not provide appropriate safeguards to prevent unauthorized users from accessing sensitive building information.

Four control areas were assessed when reviewing contractual agreements as part of this audit: GSA CIO IT security policy adherence, security control testing rights, archival data availability, and requirements for the proper handling of sensitive but unclassified (SBU) building data. For the six sample projects in this review, none of the contracts included GSA IT security policy requirements or security control testing rights. Only one contract established data archival requirements. Only two contracts contained sensitive but unclassified data handling requirements as defined by PBS policy. As a result, the existing e-PM systems have not been properly tested for the required technical, operational, and managerial controls necessary to ensure the confidentiality of sensitive data and may still pose a security risk.

Only one of the six contracts sampled during our review utilized an in-house e-PM application on an internally owned and administered hardware and software platform [3]. After the audit fieldwork identified the application, PBS conducted security testing on the application. PBS has not conducted security testing on the other five sample projects, which are either fully or partially supported by non-GSA resources. None of these contracts provide PBS with security control testing rights. Consequently, GSA does not have a contractual right to conduct testing where the risk to sensitive building data is at its highest. GSA CIO P 2100.1E requires GSA task orders and contracts to allow the government or its designated representative (i.e., a third-party contractor) to review, monitor, test, and evaluate the proper implementation, operation, and maintenance of the security controls, including, but not limited to, documentation review, server configuration review, vulnerability scanning, physical data center reviews, and operational process reviews. Until the existing contracts are amended to include security control testing rights for PBS, the effectiveness of the security controls in externally supported e-PM applications is uncertain.

Construction project data must be available after a project is complete to address any outstanding legal issues, including potential litigation, and to support future efforts regarding the facilities involved in the project. Additionally, data loss can arise from disaster, hardware failure, sabotage, etc. Proper data archival helps to address these risks. However, four out of five of the externally supported e-PM contracts in our sample did not have archival requirements for project data.

The September 2008 OIG report observed that many contracts did not include the contractor's responsibility to use reasonable care to protect sensitive building information. In the current review, only two of the sampled projects' contracts referenced PBS sensitive but unclassified data protection policy. 
As such, the contracts for the other e-PM solutions currently utilized in\nPBS construction projects did not have the PBS sensitive but unclassified data handling\nrequirements necessary to provide the awareness and accountability needed to protect sensitive\nbuilding information.\n\n\n\n3\n    This e-PM tool was being used for over 50 projects and had over 900 users.\n\n                                                           8\n\x0cAlthough PBS\xe2\x80\x99s new e-PM system should correct many of these risks, until its development is\ncomplete and adopted by all projects, risks will remain.\n\nPBS is in the pilot phase of a new enterprise-wide e-PM system implementation that should\naddress Federal, GSA CIO and PBS security requirements. The contract for the new system\nincludes provisions for the certification and accreditation of this application according to FISMA\nrequirements. The contract for the new e-PM system also appears to be in compliance with GSA\nCIO IT security policy and related procedural guides, including vulnerability testing, and PBS\nsensitive but unclassified policy requirements. The new enterprise-wide e-PM contract addresses\narchival requirements and PBS will control physical custody of the system. The new enterprise-\nwide e-PM contract language addresses both PBS security requirements and GSA CIO security\npolicy. Furthermore, these requirements are carried over to subcontractors. This new system\nwas expected to be available for use on construction projects funded through the American\nRecovery and Reinvestment Act of 2009. However, the system\xe2\x80\x99s development has yet to be\ncompleted and fully implemented. 
Until the new e-PM system is fully adopted by all of the PBS\nproject teams and the use of other e-PM applications ceases, the security vulnerabilities will\nremain and PBS will need to develop a security strategy to mitigate these risks.\n\nSensitive data found on GSA internal web-sites indicates the need for additional security\ntraining and awareness.\n\nPBS 3490.1A notes, \xe2\x80\x9cDisseminators of SBU building information are responsible for providing\nthe first line of defense against misuse,\xe2\x80\x9d and requires employees to have security training on the\nprocedures in the order. GSA policy also requires all GSA personnel and contractors to receive\nannual IT security awareness training as part of its overall security program. Those personnel\nwith significant security related responsibilities must receive the applicable training necessary to\ncarry out their duties as well. A lack of familiarity with GSA\xe2\x80\x99s security policy may lead to\nindividuals inadvertently making sensitive data available to unauthorized users.\n\nVulnerabilities identified during OIG control testing suggest a lack of awareness regarding what\ncomposes sensitive building information and proper use of the applicable technical, managerial,\nand operational security controls necessary to protect such information. During control testing\nconducted in May 2007 through July 2007 by the GSA OIG, access control weaknesses were\nidentified in a number of databases, including a PBS Project Information Portal (PIP). This\nportal included sensitive design documents, housing plans, floor plans, financial data, and\nphotographs of PBS construction projects. Corrective security measures have since been\nimplemented.\n\nAs part of this review, further control testing was performed in November 2008 on PBS internal\ngroupware and intranet sites. This control testing identified vulnerabilities regarding sensitive\nbuilding information. 
Examples of the data found included building plans with secure functions\nidentified, a report on the structural analysis of a Federal building, links to the Customer Profile\nSystem (CPS), and banking information for contractors. The OIG immediately provided PBS\nofficials with the relevant details, including the regional Insite 4 websites examined, and the\n4\n InSite is a federal government computer system, for official use only, by GSA employees and contractors with\nnetwork access through GSA systems. Insite is not accessible to the general public.\n\n                                                        9\n\x0csystem or application concerned. Out of 35 total applications/links/web pages identified that\nmay potentially be storing or processing sensitive but unclassified building data, 24 (68.6\npercent) did not have any further access controls established, outside of a user having access to\nGSA Insite. As such, these 24 applications/links/web pages were not restricting access based on\nthe concept of "need-to-know." In response to our testing results, PBS officials have emphasized\nto employees the need to protect sensitive building information and corrective measures have\nbeen implemented or are in progress at this time to reduce or eliminate these vulnerabilities.\nThese incidents suggest the need for additional and continuing information security awareness\ntraining.\n\nCONCLUSION\nPBS needs to improve the security over sensitive building information in online environments to\nreduce the risk of inappropriate disclosure of information that may result in harm to people or\nproperty. In particular, PBS needs to emphasize security for electronic project management (e-\nPM) technologies, groupware and intranet websites.\n\nWhile e-PM technologies have been in use for years, PBS project personnel have been using and\nacquiring these applications independent of the PBS security program. 
As a result, PBS has not\nhad the security in place to ensure that these applications have adequate technical security\ncontrols to safeguard sensitive building information. Although PBS has made considerable\nprogress toward the implementation of an enterprise-wide e-PM system that will manage many\nof the risks highlighted in this report, security risks will continue with existing e-PM\ndeployments as well as any that are used in the future. Given this situation, PBS needs to work\nwith the GSA OCIO to develop and implement a security strategy for current and future e-PM\napplications and PBS also needs to ensure that its enterprise-wide e-PM application meets\nsecurity requirements.\n\nWith regard to groupware, the multiple instances of inadequately protected sensitive data\nencountered during the OIG\xe2\x80\x99s testing of PBS\xe2\x80\x99S groupware/intranet controls suggests a lack of\nawareness among PBS personnel regarding basic sensitive but unclassified information security\nprinciples, such as only providing information to those individuals with a legitimate need for\naccess. As such, PBS needs to conduct more security awareness training to raise the level of\nattention to online data security within the organization.\n\nRECOMMENDATIONS\nWe recommend that the PBS Commissioner\n\n1) Work within the framework of the GSA OCIO security program to develop and implement a\n   security strategy for e-PM applications. 
The security strategy should address\n\n   a) The identification and development of the inventory of e-PM applications currently in use\n      that are not under the purview of a security program;\n\n\n\n\n                                               10\n\x0c   b) Security control testing on existing e-PM applications and procedures for ongoing\n      monitoring and correction in order to manage the risk of harm that could result from the\n      unauthorized access, use, disclosure, disruption, modification, or destruction of the\n      sensitive data contained in these applications or the unavailability of the applications\n      themselves;\n\n   c) IT security roles for existing PBS e-PM applications as required by GSA CIO P 2100.1E\n      and identify FISMA points-of-contact for the FISMA points-of-contact list published by\n      the GSA OCIO;\n\n   d) Procedural guidance to the Contracting Officer, Contracting Officer Technical\n      Representative, Project Manager and Project Executive related to IT contracts or\n      contracts containing IT, considering PBS 3490.1A, GSA CIO P 2100.1E, and other GSA\n      CIO procedural guides;\n\n   e) Policies and procedures for PBS OCIO oversight during entire system lifecycle for any\n      project using electronic project management tools; and\n\n   f) The amendment of existing contracts, where feasible, related to the acquisition of\n      electronic project management services and development of boilerplate contract language\n      that includes\n\n       i)     Current applicable GSA, PBS, and Federal laws, regulations, and policy;\n       ii)    Security control assessment rights;\n       iii)   Requirements for the inclusion of security requirements in subcontracts; and\n       iv)    Project data archival requirements.\n\n2) Develop and conduct additional security awareness training for project management and\n   contracting personnel, especially to those with significant security responsibilities. 
Include a\n   focus on requirements for extranet based e-PM applications where appropriate, a review of\n   PBS sensitive but unclassified policy, and instruction on the protection of sensitive but\n   unclassified data in PBS groupware/intranet environments.\n\nMANAGEMENT COMMENTS\nManagement generally concurred with the report recommendations.\n\n\nINTERNAL CONTROLS\nAs discussed in the Objective, Scope, and Methodology section of this report, the review focused\non whether PBS has adequate controls in place to protect sensitive building information in online\nenvironments. Related management control issues are discussed in the context of the review\nfindings.\n\n\n\n                                                  11\n\x0cAudit of PBS\xe2\x80\x99s Controls over Security of Building\n       Information in Online Environments\n         Report Number A070216/P/R/R10003\n\n                    Appendix A\n\n                Management Response\n\n\n\n\n                       A-1\n\x0c             Audit of PBS\xe2\x80\x99s Controls over Security of Building\n                    Information in Online Environments\n                          Report Number A070216/P/R/R10003\n\n                                           Appendix B\n\n                                      Report Distribution\n\n                                                                              Copies\n\nCommissioner, Public Buildings Service (P)                                      1\n\nOffice of the Chief Information Officer (IS)                                    1\n\nRegional Administrator, National Capital Region (WA)                            1\n\nRegional Administrator, Southeast Sunbelt Region (4A)                           1\n\nRegional Inspector General for Auditing (JA-W, JA-4)                            2\n\nRegional Inspector General for Investigations (JI-W, JI-4)                      2\n\nDeputy Assistant Inspector General for Information Technology Audits (JA-T)     1\n\nOffice 
of Inspector General (J)                                                 4\n\nAssistant Inspector General for Auditing (JA, JAO)                              2\n\nAssistant Inspector General for Investigation (JI)                              1\n\nDirector, Internal Control & Audit Division (BEI)                               1\n\n\n\n\n                                               B-1\n\x0c'